Re: [PATCH 09/11 net-next v5] bpf: remove ipv6_bpf_stub completely and use direct function calls

[Martin KaFai Lau <martin.lau@linux.dev>]

On 3/25/26 1:29 PM, Fernando Fernandez Mancera wrote:
> On 3/25/26 8:11 PM, Martin KaFai Lau wrote:
>> On 3/25/26 5:08 AM, Fernando Fernandez Mancera wrote:
>>> As IPv6 is built-in only, the ipv6_bpf_stub can be removed completely.
>>>
>>> Convert all ipv6_bpf_stub usage to direct function calls instead. The
>>> fallback functions introduced previously will prevent linkage errors
>>> when CONFIG_IPV6 is disabled.
>>
>> Thanks for working on this.
>>
>>> @@ -6221,8 +6215,8 @@ static int bpf_ipv4_fib_lookup(struct net *net, 
>>> struct bpf_fib_lookup *params,
>>>       if (likely(nhc->nhc_gw_family != AF_INET6))
>>>           neigh = __ipv4_neigh_lookup_noref(dev,
>>>                             (__force u32)params->ipv4_dst);
>>> -    else
>>> -        neigh = __ipv6_neigh_lookup_noref_stub(dev, params->ipv6_dst);
>>> +    else if (IS_ENABLED(CONFIG_IPV6))
>>> +        neigh = __ipv6_neigh_lookup_noref(dev, params->ipv6_dst);
>>
>> Should it be ipv6_mod_enabled() instead of IS_ENABLED(CONFIG_IPV6)?
>> Is nd_tbl always initialized?
>>
> 
> Hi Martin,
> 
> I don't think so. The IS_ENABLED(CONFIG_IPV6) check here is just to 
> prevent an undefined reference when compiling with CONFIG_IPV6=n. Note 
> that this code isn't reachable when ipv6.disable=1 is set during 
> booting, as it would have crashed even before this change because 
> ipv6_stub->nd_tbl is NULL if the IPV6 is disabled since booting.
> 
> We addressed the vulnerable paths already during this series:
> 
> https://lore.kernel.org/netdev/20260307-net-nd_tbl_fixes-v4-0- 
> e2677e85628c@suse.com/#
> 
>>>       if (!neigh || !(READ_ONCE(neigh->nud_state) & NUD_VALID))
>>>           return BPF_FIB_LKUP_RET_NO_NEIGH;
>>> @@ -6290,12 +6284,11 @@ static int bpf_ipv6_fib_lookup(struct net 
>>> *net, struct bpf_fib_lookup *params,
>>>               params->tbid = 0;
>>>           }
>>> -        tb = ipv6_stub->fib6_get_table(net, tbid);
>>> +        tb = fib6_get_table(net, tbid);
>>>           if (unlikely(!tb))
>>>               return BPF_FIB_LKUP_RET_NOT_FWDED;
>>> -        err = ipv6_stub->fib6_table_lookup(net, tb, oif, &fl6, &res,
>>> -                           strict);
>>> +        err = fib6_table_lookup(net, tb, oif, &fl6, &res, strict);
>>
>> A similar question here and other changes in the patch.
>>
>> I think bpf_ipv6_fib_lookup() is fine because the earlier
>> "!idev" check should fail when ipv6 is disabled at boot time?
> 
> Yes, the !idev check prevents us to reach this path so it is safe to 
> call fib6_table_lookup().
> 
> While working on the series I have been trying to exploit these paths 
> (this one and other changes in the series), so far I didn't find anything.

Thanks for the explanation.

Reviewed-by: Martin KaFai Lau <martin.lau@kernel.org>